The "Production" Nightmare
It was a regular Tuesday afternoon in my 5th-semester Secure Software Systems lecture. But one line from the professor stuck with me:
Fixing a vulnerability after deployment is like changing a tire while the car is moving at 80 km/h.
That analogy hit hard.
As a cybersecurity student — and the Team Lead of the Cyber ESS Team — I started thinking about the tools we were using. They were powerful, no doubt. But they felt heavy. Slow. Intimidating. Like machinery designed for experts, not for students still learning the craft.
And that's where the idea began.
If security feels like a burden, developers will avoid it. If it feels natural, they'll adopt it. We didn't want to build another tool — we wanted to change when and how developers think about security.
The Philosophy: Making Security Invisible
The idea was simple: don't force developers to go to security — bring security to them.
Familiarity Over Friction
Most tools require you to leave your workflow — open a website, paste code, wait for results. We didn't want that. We chose to build inside VS Code — the place where developers already spend most of their time. No context switching. No friction. Just write code and get feedback instantly.
Designing for Comfort, Not Fear
Security tools often use aggressive tones — red warnings, complex terminology, and overwhelming outputs. We intentionally avoided that. Instead of a "hacker aesthetic," we went with a clean, modern UI. Because security isn't a dark art — it's just good engineering.
Making Security a Habit
Our real goal wasn't just detection. It was behavior change. If developers start seeing security feedback as part of their normal coding flow, they'll naturally write better, safer code over time.
Under the Hood: Building the AI Engine
Once the idea was clear, the real challenge began. How do you build a powerful security scanner without heavy infrastructure?
The AI Approach
Running large models locally wasn't realistic for a student project. So we took a smarter route. We used APIs through platforms like Hugging Face to access advanced models such as DeepSeek.
This gave us:
- Lightweight performance — no local heavy compute required
- Fast responses across multiple scans
- Multi-language support: JavaScript, Python, Java, C++
It allowed us to focus on experience, not infrastructure.
The Real Challenge: The Webview
If there was one part that tested us the most, it was the Webview. We didn't want plain text output — that would defeat the purpose. We wanted something interactive and genuinely useful.
So we built:
- Color-coded severity badges — CRITICAL, HIGH, MEDIUM, LOW
- Side-by-side comparison of vulnerable code and suggested fix
- Actionable solutions — not just warnings
Don't just tell developers what's wrong — show them how to fix it. The goal was to turn security findings into learning moments, not blockers.
Beyond Code: Learning to Think Differently
This project changed how we look at software development entirely.
Thinking Like a Developer vs. a Security Reviewer
As developers, we usually ask: "Does this work?"
But security forces a different question: "Can this be broken?"
We had to train ourselves to think from both perspectives. That mindset shift alone made the project worth it.
Balancing Accuracy and Simplicity
A tool that detects everything but explains nothing is useless. We focused on clarity:
- Simple explanations over security jargon
- Direct, copy-paste-ready fixes
- Minimal cognitive load for the reader
A tool is only effective if people actually understand it.
— Lesson learned building AIVS
The Team Behind It: Cyber ESS
The most meaningful part of this journey wasn't the technology. It was the people.
As a team lead, my role wasn't just to build — but to guide. We explored concepts that were completely new to many of us:
- Secure API key handling using VS Code's global state storage
- Asynchronous programming to keep the UI responsive during scans
- Debugging real-world issues like regex failures and Webview rendering bugs
There were long nights. There were moments where nothing worked. But slowly, things started clicking. And that moment — when an idea becomes a working system — is something every builder should experience at least once.
Key Features We Implemented
Each feature was designed with one principle in mind: make security simple.
What We Learned Along the Way
Looking back, this project taught us far more than just coding.
The Bigger Vision
This project started as a classroom idea. But it showed us something bigger.
AI-assisted development is not the future — it's already here. And security tools need to evolve with it.
In the future, tools like this could:
- Run continuously and passively as you write
- Learn from your codebase patterns over time
- Prevent vulnerabilities before they even get typed
Don't wait for a job. Don't wait for the perfect idea. Don't wait until you feel "ready." If something feels broken — or unnecessarily complicated — try to fix it. That's how this project started. Not with a grand vision. Just with a simple thought: "Why does security have to feel this hard?"
Sometimes the best projects don't come from labs or companies. They come from classrooms, curiosity, and the courage to build something better.